Lucene search

IBM488FCEF71EF7DA59C44B85E01B61C9E6F64222BB3CB2279E3106224EAB4D58C5

HistoryOct 01, 2018 - 2:20 p.m.

Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private (CVE-2018-0739,CVE-2017-17512, CVE-2018-1000122)

2018-10-0114:20:02

www.ibm.com

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Summary

IBM Cloud Private is vulnerable to multiple security vulnerabilities

Vulnerability Details

CVEID: CVE-2018-1000122 DESCRIPTION: curl could allow a remote attacker to obtain sensitive information, caused by a buffer over-read in the RTSP+RTP handling code. An attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140316> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2017-17512 DESCRIPTION: sensible-utils package for Debian could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to validate strings before launching the program specified by the BROWSER environment variable in sensible-browser. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136182> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-0739 DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140847> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Cloud Private 2.1.0

Remediation/Fixes

For the 2.1.0.x releases, upgrade to version 2.1.0.3 Fix Pack 1, and apply patches

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud privateeq2.1.0

CPE	Name	Operator	Version
	ibm cloud private	eq	2.1.0

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Related for 488FCEF71EF7DA59C44B85E01B61C9E6F64222BB3CB2279E3106224EAB4D58C5